[Bug 1153847] New: Unable to boot with SecureBoot enabled in BIOS
http://bugzilla.opensuse.org/show_bug.cgi?id=1153847

Bug ID: 1153847
Summary: Unable to boot with SecureBoot enabled in BIOS
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: jsrain@suse.com
Reporter: imax@posteo.org
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

I'm unable to do a fresh Tumbleweed install with SecureBoot enabled. After selecting the USB device in the boot menu I get a black screen that is not responding anymore. Pushing Esc after some time leads to an error message with a system freeze:

Failed to load image: Security Policy Violation

When I disable SecureBoot I can boot fine. To exclude possible mistakes:

- USB installer created with SUSE ImageWriter
- Checksums are all fine
- Selected the right entry in the boot menu to boot the USB stick in UEFI mode

Other distros (Ubuntu, Debian, Fedora) officially supporting SecureBoot are working fine out of the box with SecureBoot enabled. With Leap I get the same behavior as described above.

Is there something wrong with the signatures?

regards

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c2

--- Comment #2 from Ivo Lux <imax@posteo.org> ---
Well, my machine is quite new: AMD Ryzen 5 2600 on an ASRock B450m Pro4 Mainboard. BIOS Version is 3.30 (21.5.2019). There are existing newer versions, but they are not recommended with my processor generation (only newer).

But the strange thing is that other Distros boot fine. I don't know what's the difference between openSUSE and the others and how to troubleshoot this?

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c3

Neil Rickert <nwr10cst-oslnx@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nwr10cst-oslnx@yahoo.com

--- Comment #3 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
Unfortunately, there appears to be newer hardware that also doesn't support multi-signed shim. We see that in forum posts.

Check https://en.opensuse.org/openSUSE:UEFI and scroll down to the heading "Booting the Machine that supports only one signature with vendor provided Keys"

It suggests a workaround. And you can use that workaround as a way of testing whether that is the problem.

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c6

--- Comment #6 from Ivo Lux <imax@posteo.org> ---
(In reply to Neil Rickert from comment #3)
> Unfortunately, there appears to be newer hardware that also doesn't support multi-signed shim. We see that in forum posts.
> Check https://en.opensuse.org/openSUSE:UEFI and scroll down to the heading "Booting the Machine that supports only one signature with vendor provided Keys"
> It suggests a workaround. And you can use that workaround as a way of testing whether that is the problem.

I tried the suggested workaround. But nothing changed. Same behavior as before.

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c7

--- Comment #7 from Ivo Lux <imax@posteo.org> ---
Created attachment 821754
  --> http://bugzilla.opensuse.org/attachment.cgi?id=821754&action=edit
dmidecode

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c9

--- Comment #9 from Ivo Lux <imax@posteo.org> ---
Created attachment 821777
  --> http://bugzilla.opensuse.org/attachment.cgi?id=821777&action=edit
mokutil --pk

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c10

--- Comment #10 from Ivo Lux <imax@posteo.org> ---
Created attachment 821779
  --> http://bugzilla.opensuse.org/attachment.cgi?id=821779&action=edit
mokutil --kek

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c11

--- Comment #11 from Ivo Lux <imax@posteo.org> ---
Created attachment 821780
  --> http://bugzilla.opensuse.org/attachment.cgi?id=821780&action=edit
mokutil --db

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c13

--- Comment #13 from Ivo Lux <imax@posteo.org> ---
I checked the system time and set it correctly. It was 2 hours behind. But unfortunately nothing changed.

As I described above, other distros I tested (Debian, Ubuntu and Fedora) are booting fine. And if I'm correctly informed, they are all using the same Microsoft keys.

But I still want to use openSUSE :)

In the next days I will try other hardware from friends, so I will see if I can reproduce my issue.

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c15

--- Comment #15 from Ivo Lux <imax@posteo.org> ---
openSUSE Tumbleweed is installed on my disk, but without the possibility to use the SecureBoot ability.

`mokutil -l` gives me: "MokListRT is empty"

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c16

--- Comment #16 from Ivo Lux <imax@posteo.org> ---
Created attachment 821946
  --> http://bugzilla.opensuse.org/attachment.cgi?id=821946&action=edit
efibootmgr -v

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c17

--- Comment #17 from Ivo Lux <imax@posteo.org> ---
Created attachment 821947
  --> http://bugzilla.opensuse.org/attachment.cgi?id=821947&action=edit
mokutil --dbx

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c20

--- Comment #20 from Ivo Lux <imax@posteo.org> ---
Yes, that does the trick! Confirming the "blue dialog" blindly brought me a step further. In addition I had to disable CSM (Compatibility Support Module) in my BIOS and now I can boot fine from hard disk and USB with SecureBoot enabled.

Thanks for all your help.

But what do you think causes this issue: is it a poor UEFI implementation or does it have something to do with my not so common screen resolution (1440x900)?

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c21

--- Comment #21 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
> is it a poor UEFI implementation or has it something to do with my not so common screen resolution (1440x900)?

I'm using 1440x900 resolution. I am not having any problems. Maybe your UEFI firmware cannot handle that resolution, but the problem is not the resolution alone.

http://bugzilla.opensuse.org/show_bug.cgi?id=1153847#c25

Arnav Singh <opensuse@arnavion.dev> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |opensuse@arnavion.dev

--- Comment #25 from Arnav Singh <opensuse@arnavion.dev> ---
I also have an ASRock motherboard (X399 Phantom Gaming 6).

For some reason, I do *not* have any problem booting after enabling SecureBoot. SB is enabled in the mobo firmware settings, the OS was loaded via UEFI, and `dmesg` confirms "Secure boot enabled" and "Loaded X.509 cert 'openSUSE Secure boot Signkey: ..." I'm not sure why I did not have a problem given that MokManager never showed up to ask me to accept openSUSE's signing cert.

That said, I definitely have the problem that MokManager doesn't render, which is preventing me from doing `mokutil --disable-validation` / `mokutil --enable-validation`. I tried pressing the keys blindly as described in [1] but it does not work; I assume I have the second answer's layout (the one that asks for individual characters of the password) but I don't see a reboot happening after pressing the final Enter according to that answer.

Upstream closed the issue with a fix [2] but then seems to have force-pushed it out of history because they did not mean to release it just yet, so they have a new PR [3]. It's not clear when they plan to release a version with that fix. Could openSUSE patch in that PR for the sake of us ASRock users?

If I understand correctly, me building the shim rpm locally with rpmbuild would not work because it would not be signed by Microsoft's key. If that's wrong and it would work fine, then please say so and I'd be happy to test it with the patch applied. But since the original author of #271 tested it on their ASRock board, I assume it'll work correctly.

[1]: https://askubuntu.com/questions/950395/mok-management-will-not-load-on-boot (both the first and second answers).
[2]: https://github.com/rhboot/shim/pull/271
[3]: https://github.com/rhboot/shim/pull/428